FIM-CLM
Hi, I have configured FIM-CLM, but I don't know how to work with it. When I request the certificate for the user, it doesn't go through any request and approval process; it gets executed and the status shows completed. For the smart card, it throws "Invalid smart card serial number. Smart card information not available for the supplied smart card." I am using an OMNIKEY smart reader and an HID Crescendo C700 card. Regards, Sridhar.R
October 11th, 2010 9:46am

What kind of certificate workflow do you want to realize: self-service, manager-initiated? What smart card middleware are you trying to use? To get more familiar with FIM-CM, I recommend checking whether the "CLM Sample Profile" works in your environment. With only a few configuration settings you can deploy a self-service scenario in which a user with the appropriate permissions can initiate and enroll a soft certificate to their local certificate store. In the next step you can modify the scenario so that not the end user but a certificate manager initiates the certificate request, FIM-CM distributes a one-time password, and the end user can enroll the soft certificate in conjunction with the one-time password. To deploy the scenarios I recommend this. Finally, once you have this running, you can move from distributing soft certificates to smart cards. /Matthias
October 11th, 2010 10:25am

SAFESIGN middleware. Thanks for the reply.
October 12th, 2010 1:57am

I have succeeded with self service. Then I set up CM for Active Directory permissions. When requesting a certificate, it executes without any approval from Approvers, Enrollmentagents, ProfileAdmins... Below I have attached the review details of a request.
You can review details of your particular request. If appropriate, you can then execute or abandon the request.
General Information
Type: Enroll
Status: Completed
Originator: FIM\Subscriber1
Target: FIM\Subscriber1
Submission date: Tuesday, October 12, 2010 4:24:15 PM
Comments:
Data collection completed:
Profile template used: USER FIM CM Sample Profile Template
Registration Information
This section displays data collected during the request's processing
Sample Data Item: Subscriber Request a certifica
Advanced Information
Expand this section to display information about the profile from which the request was made, as well as the newly-created profile.
Certificates In Target Profile
This section lists the certificates added to profile when the request completed.
Common name, Certificate template, Status, Archived, Expires
11, Subscriber1, User, Valid, 10/12/2011 4:14 PM, False
History
Expand this section to view the request's history.
Action, User, Time, Event Details
Create Request, FIM\Subscriber1, 10/12/2010 4:24 PM
Approve Request, FIM\clmAgent, 10/12/2010 4:24 PM
Execute Request, FIM\Subscriber1, 10/12/2010 4:24 PM
Create Profile, FIM\Subscriber1, 10/12/2010 4:24 PM
Send Request To CA, FIM\Subscriber1, 10/12/2010 4:24 PM
Retrieve Response From CA, FIM\Subscriber1, 10/12/2010 4:24 PM
Request Certificates Operation Completed, FIM\Subscriber1, 10/12/2010 4:24 PM
Install Certificate, FIM\Subscriber1, 10/12/2010 4:24 PM
October 12th, 2010 7:07am

Do you expect an approval step, but the request is executable without approval? Have you configured your FIM CM profile template "USER FIM CM Sample Profile Template" correctly? Change the general settings of the Enroll policy: deselect "Use self serve", set Number of Approvals = 1, and in the section "Workflow: Approve Enroll Requests" select an appropriate AD user / group that should approve the request. /Matthias
October 12th, 2010 7:37am

Yes, I would like to have an approval step. I have copied the default FIM CM Sample Profile Template and am using it as per the FIM 2010 TechNet site. I have deselected "Use self serve"; then I am not able to request a certificate, and I get this error: "Current user does not have access to any profile templates". If I check "Use self serve", the request can be processed. I think I have made a mistake in the profile template creation.
October 12th, 2010 8:59am

No, your permission settings are incorrect. You may need three different roles/groups:
Subscribers: all users who should execute the cert request
Managers: all users who should be able to initiate the cert request
Approvers: all users who should approve a cert request
Can you post the permissions you configured on the 5 magic FIM CM points?
1. Service Connection Point
2. FIM CM profile template
3. Certificate template
4. Target User group, e.g. Subscribers
5. CM Enroll policy
/Matthias
October 12th, 2010 9:12am

Hi Matthias, here are the enroll policy settings of my profile template:
Workflow: General
This section displays workflow information related to enrollment of this profile template.
Policy enabled: Yes
Self service enabled: No
Enrollment agent required: Yes
Allow collection of comments: Yes
Allow collection of request priority: Yes
Default request priority: 0
Number of approvals: 1
Number of active or suspended profiles/smart cards allowed: Unlimited
Workflow: Initiate Enroll Request
NTauthority\system GRANT
FIM\Subscribers GRANT
FIM\Initiators GRANT
Workflow: Approve Enroll Request
NTauthority\system GRANT
FIM\Approvers GRANT
Workflow: Enroll Agent for Enroll Request
NTauthority\system GRANT
FIM\Enrollmentagent GRANT
2) Service not found
Under "Configuring the FIM CM Service" on TechNet, "Step 5: Configure FIM CM to start automatically" mentions the certificate management services, but on my FIM CLM server I can't find a service running under this name. On my server, the services I see are "Certificate Propagation" and "Forefront Identity Manager CM Update Service". I need to clarify where the certificate management service is, and whether I have missed something while configuring.
October 13th, 2010 2:05am

Your scenario requires the following permission configuration:
Service Connection Point
  FIM\Initiators: Read, CM Request Enroll
Active Directory Groups FIM\Subscribers
  · FIM\Initiators: Read, CM Request Enroll
FIM CM profile template
  · FIM\Initiators: Read
  · FIM\Subscriber: Read, CM Enroll
Certificate template
  · FIM\Subscriber: Read, Enroll
FIM CM Management Profile Template
  · General Settings
    o Policy enabled: Yes
    o Self service enabled: No
    o Enrollment agent required: No
    o Number of approvals: 1
  · Enroll Policy
    o Workflow:Initiate Enroll Request: FIM\Initiators GRANT
    o Workflow:Approve Enroll Request: FIM\Approvers GRANT
/Matthias
October 14th, 2010 3:17am

Hi, when I initiate a certificate request through an initiator for the test user, its request status is pending. Below is the review status shown to the approver:
Status, Type, Submitted Date, Originator, Target, Priority, Comments, DN
Pending, Enroll, 10/14/2010, FIM\Initiator, FIM\carduser, 0, Unknown
There is no option for the approver to execute the request...
October 15th, 2010 2:49am

Add the following permissions:
Service Connection Point
  FIM\Approvers: Read, CM Audit
FIM CM profile template
  FIM\Approvers: Read
/Matthias
October 15th, 2010 2:56am

Hi Matthias, I am still facing the same problem; I have not yet succeeded with manager initiate... Error: Active Directory Certificate Services could not process request 21 due to an error: ASN1 bad tag value met. 0x8009310b (ASN: 267). The request was for FIM\CLMUSER. Additional information: Error Parsing Request
October 19th, 2010 8:57am

Typically this error corresponds with clmAgent certificate problems. At which point of the workflow does the error occur? During the manager initiation process? During the user execution process? Is your clmAgent certificate operational, i.e. not expired? Did you renew this certificate in the past? /Matthias
October 19th, 2010 9:18am

Yes, I have renewed the certificate. I need a clarification on the flow of manager initiate: the initiator will initiate the certificate for the user, the approver will approve the request, and the certificate will be executed. The profile will be created, followed by the request to the CA, completion of the request operation and installation of the certificate. Please correct me if I am wrong.
****************************************
Below are my error details.
1) When I request the certificate through the initiator, the request status is pending...
Create Request FIM\initiator
Approve Request FIM\CLMAgent
Here, whenever I request a certificate, it shows the approve request going to CLMAGENT; it does not go to the approver. The status of the certificate is pending...
You can review the details of a particular request, and change related information for it, as your permissions allow.
General Information
Type: Enroll
Status: Pending
Originator: FIM\CLMUSER
Target: FIM\CLMUSER
Submitted at: Thursday, October 21, 2010 5:07:52 PM
Comments: sdsdsddddddddcdscscdc
Data collection complete:
Profile template used: Copy 2 Of FIM CM Sample Profile Template
Request priority: 0
History
Expand this section to view the request's history.
Action, User, Time, Event Details
Create Request, FIM\CLMUSER, 10/21/2010 5:07 PM, sdsdsddddddddcdscscdc
****************************************
2) Service not found
Under "Configuring the FIM CM Service" on TechNet, "Step 5: Configure FIM CM to start automatically" mentions the certificate management services, but on my FIM CLM server I can't find a service running under this name. On my server, the services I see are "Certificate Propagation" and "Forefront Identity Manager CM Update Service". I need to clarify where the certificate management service is, and whether I have missed something while configuring.
October 21st, 2010 1:54am

The service you're missing is the FIM CM Update Service, which automates the task of generating requests for renewals or updates for existing smart cards and certificates. It's an optional component and not (!) needed for basic/standard workflows. If you're missing the service, you probably didn't select it during the initial setup of FIM CM. /Matthias
October 21st, 2010 7:44am

Hi, when you have a new card (meaning the card is new to your FIM CM environment), insert it into your card reader and then in FIM CM choose "View details of the smart card currently in the reader" and get this message "Invalid smart card serial number. Smart card information not available for the supplied smart card", don't worry. This does not mean your card is not usable. Just issue the certificates to your card (e.g. by running "Enroll a user for a new set of certificates or a smart card", choosing your target user and then running "Issue a permanent smart card to this user"); this will just work. And from then on you can also view details of the smart card without getting the invalid serial number message. Cheers, alphalz
June 29th, 2012 2:31am

This topic is archived. No further replies will be accepted.
